You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@nifi.apache.org by al...@apache.org on 2017/03/06 23:15:11 UTC

nifi-site git commit: Updated security page with CVE-2017-5635 and CVE-2017-5636.

Repository: nifi-site
Updated Branches:
  refs/heads/master 4d8f411bd -> cf05c9e81


Updated security page with CVE-2017-5635 and CVE-2017-5636.


Project: http://git-wip-us.apache.org/repos/asf/nifi-site/repo
Commit: http://git-wip-us.apache.org/repos/asf/nifi-site/commit/cf05c9e8
Tree: http://git-wip-us.apache.org/repos/asf/nifi-site/tree/cf05c9e8
Diff: http://git-wip-us.apache.org/repos/asf/nifi-site/diff/cf05c9e8

Branch: refs/heads/master
Commit: cf05c9e81a85d1b4f85acf80253fbc9455c413d6
Parents: 4d8f411
Author: Andy LoPresto <al...@apache.org>
Authored: Mon Mar 6 15:06:08 2017 -0800
Committer: Andy LoPresto <al...@apache.org>
Committed: Mon Mar 6 15:06:08 2017 -0800

----------------------------------------------------------------------
 src/pages/html/security.hbs | 44 +++++++++++++++++++++++++++++++++++++++-
 1 file changed, 43 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/nifi-site/blob/cf05c9e8/src/pages/html/security.hbs
----------------------------------------------------------------------
diff --git a/src/pages/html/security.hbs b/src/pages/html/security.hbs
index 52ec332..8ade764 100644
--- a/src/pages/html/security.hbs
+++ b/src/pages/html/security.hbs
@@ -7,6 +7,48 @@ title: Apache NiFi Security Reports
 <div class="medium-space"></div>
 <div class="row">
     <div class="large-12 columns features">
+        <h2>Fixed in Apache NiFi 0.7.2 and 1.1.2</h2>
+    </div>
+</div>
+<div class="row">
+        <div class="large-12 columns">
+            <p><b>CVE-2107-5635</b>: Apache NiFi Unauthorized Data Access In Cluster Environment</p>
+            <p>Severity: <b>Important</b></p>
+            <p>Versions Affected:</p>
+    <ul>
+      <li>Apache NiFi 0.7.0</li>
+      <li>Apache NiFi 0.7.1</li>
+      <li>Apache NiFi 1.1.0</li>
+      <li>Apache NiFi 1.1.1</li>
+    </ul>
+      </p>
+      <p>Description: In a cluster environment, if an anonymous user request is replicated to another node, the originating node identity is used rather than the \u201canonymous\u201d user. </p>
+      <p>Mitigation: A fix has been provided (removing the negative check for anonymous user before building the proxy chain and throwing an exception, and evaluating each user in the proxy chain iteration and comparing against a static constant anonymous user).  This fix was applied in NIFI-3487 and released in Apache NiFi 0.7.2 and 1.1.2.  1.x users running a clustered environment should upgrade to 1.1.2.  0.x users running a clustered environment should upgrade to 0.7.2.  Additional migration guidance can be found <a href="https://cwiki.apache.org/confluence/display/NIFI/Migration+Guidance">here</a>. </p>
+      <p>Credit: This issue was discovered by Leonardo Dias in conjunction with Matt Gilman.</p>
+        </div>
+     </div>
+</div>
+<div class="row">
+        <div class="large-12 columns">
+            <p><b>CVE-2107-5636</b>: Apache NiFi User Impersonation In Cluster Environment</p>
+            <p>Severity: <b>Moderate</b></p>
+            <p>Versions Affected:</p>
+    <ul>
+      <li>Apache NiFi 0.7.0</li>
+      <li>Apache NiFi 0.7.1</li>
+      <li>Apache NiFi 1.1.0</li>
+      <li>Apache NiFi 1.1.1</li>
+    </ul>
+      </p>
+      <p>Description: In a cluster environment, the proxy chain serialization/deserialization is vulnerable to an injection attack where a carefully crafted username could impersonate another user and gain their permissions on a replicated request to another node. </p>
+      <p>Mitigation: A fix has been provided (modification of the tokenization code and sanitization of user-provided input).  This fix was applied in NIFI-3487 and released in Apache NiFi 0.7.2 and 1.1.2.  1.x users running a clustered environment should upgrade to 1.1.2.  0.x users running a clustered environment should upgrade to 0.7.2.  Additional migration guidance can be found <a href="https://cwiki.apache.org/confluence/display/NIFI/Migration+Guidance">here</a>. </p>
+      <p>Credit: This issue was discovered by Andy LoPresto.</p>
+        </div>
+     </div>
+</div>
+<div class="medium-space"></div>
+<div class="row">
+    <div class="large-12 columns features">
         <h2>Fixed in Apache NiFi 1.0.1 and 1.1.1</h2>
     </div>
 </div>
@@ -21,7 +63,7 @@ title: Apache NiFi Security Reports
 		</ul>
 	    </p>
 	    <p>Description: There is a cross-site scripting vulnerability in connection details dialog when accessed by an authorized user. The user supplied text was not being properly handled when added to the DOM.</p>
-	    <p>Mitigation: 1.0.0 users should upgrade to 1.0.1 or 1.1.1.  1.1.0 users should upgrade to 1.1.1. Additional migration guidance can be found <a href="https://cwiki.apache.org/confluence/display/NIFI/Migration+Guidance">here</a></p>
+	    <p>Mitigation: 1.0.0 users should upgrade to 1.0.1 or 1.1.1.  1.1.0 users should upgrade to 1.1.1. Additional migration guidance can be found <a href="https://cwiki.apache.org/confluence/display/NIFI/Migration+Guidance">here</a>. </p>
 	    <p>Credit: This issue was discovered by Matt Gilman of the Apache NiFi PMC during a code review.</p>
         </div>
      </div>